arXiv:1501.03353v1 [cs.CR] 14 Jan 2015


PriCL: Creating a Precedent
A Framework for Reasoning about Privacy Case Law


Michael Backes, Fabian Bendun, Jörg Hoffmann, and Ninja Marnau
CISPA, Saarland University

{backes,bendun,hoffmann,marnau}@cs.uni-saarland.de


Abstract. We introduce PriCL: the first framework for expressing and
automatically reasoning about privacy case law by means of precedent.
PriCL is parametric in an underlying logic for expressing world properties,
and provides support for court decisions, their justification, the
circumstances in which the justification applies as well as court hierarchies.
Moreover, the framework offers a tight connection between privacy
case law and the notion of norms that underlies existing rule-based privacy
research. In terms of automation, we identify the major reasoning
tasks for privacy cases such as deducing legal permissions or extracting
norms. For solving these tasks, we provide generic algorithms that
have particularly efficient realizations within an expressive underlying
logic. Finally, we derive a definition of deducibility based on legal concepts
and subsequently propose an equivalent characterization in terms
of logic satisfiability.


1 Introduction 

Privacy regulations such as HIPAA, COPPA, or GLBA in the United States 
impose legal grounds for privacy |3H37l38j . In order to effectively reason about 
such regulations, e.g., for checking compliance, it is instrumental to come up 
with suitable formalizations of such frameworks along with the corresponding 
automated reasoning tasks. 

There are currently two orthogonal approaches to how regulations are expressed
and interpreted in real life that both call for such a formalization and
corresponding reasoning support. One approach is based on providing an explicit
set of rules that define what is allowed and what is forbidden. The alternative
is to consider precedents and case law, which is the approach predominantly
followed in many countries such as the US. Precedents are cases that decide a
specific legal context for the first time and thus serve as a point of reference
whenever a future similar case needs to be decided. Moreover, even judges in
countries that do not base their legal system on precedents often use this mechanism
to validate their decision or shorten the process of argumentation.

Case law is particularly suitable for resolving vague formulations that naturally
occur in privacy regulations like the definition of ‘disclosure’ in COPPA:
“The term ‘disclosure’ means [...] the release of personal information collected
from a child in identifiable form”. Here, case law could reference decisions that
define what circumstances are qualified as a non-identifiable form of personal
data, thereby aiding the user by providing judicially accurate interpretation of
such terms.

While rule-based frameworks have received tremendous attention in previous
research (see the section on related work below) there is currently no formalization
for case law that is amenable to automated reasoning.

Our contribution. Our contribution to this problem space is threefold: 

— We derive important legal concepts from actual judicial processes and relevant
requirements from related work. The resulting framework, PriCL, can
be applied to the judicature of many different countries as it does not assume
any specific argumentation.

— We tailor the framework for privacy regulations. In particular, our privacy 
specific case law framework is compatible with former policy languages since 
it has only minimal requirements regarding the logic. Therefore, it is possible 
to embed other formalizations into our framework. 

— We define the major reasoning tasks that are needed to apply the framework 
to privacy cases. In particular, these tasks allow us to derive requirements 
for the underlying logic which we analyze. Several logics allow an embedding 
of the reasoning tasks by giving an equivalent characterization of the tasks. 
Consequently, we are able to select a well suited logic. 

In total, the case law framework that we introduce gives a new approach for
compliance with privacy regulations. In particular, it makes it possible to implicitly
use any regulation if it was previously referenced by a judge. Moreover,
it also provides for reasoning tasks in cases where no regulation is applicable but
judicial precedents exist.

Related work. There are plenty of privacy regulations that companies are 
required to comply with. In the US there are regulations for specific sectors, 
e.g., HIPAA for health data, COPPA for children’s data, or GLBA and RFPA 
for financial data. In the EU, the member states have general data protection 
codes. The legislative efforts to harmonize these national codes via the EU Data 
Protection Regulation [22] are proceeding and already provide for identifying 
legislative trends. The importance and impact of these privacy regulations has 
brought the interpretation thereof to the attention of more technically focused 
privacy research I28ll0l2l21ll5l32l . 

Policy languages were mainly developed in order to model these regulations
and to reflect companies’ policies. Many of the modern logics modeling regulations
are based on temporal logic [24l1 2ll Dl.lfilTTj and were successfully used to
model HIPAA and GLBA [20] and should be applicable to other regulations as
well. While these logics focus on expressiveness in order to reflect the regulations,
the logics for company policies focus on enforcement m and thus also on
authorization |1I5) . Consequently, company policies are mostly based on access
control policies [301261 .

Bridging the gap between the regulation policies and the company’s policies
leads to automating compliance checks [35]. For many deployed policies, i.e.,
the ones that are efficiently enforceable, this is currently not possible due to
the lack of decidability regarding the logics used to formalize regulations. However,
for these cases there exist run-time monitoring tools that allow compliance
auditing on log files [10124113112] . In particular, such auditing was invented for
HIPAA [M|-

A different approach for achieving compliance is guaranteeing privacy-by-design
[20117125] . However, the policy of these systems still needs to be checked
for compliance with the relevant privacy regulations.

There is also an orthogonal approach when designing privacy policies that
focuses on the end user, i.e., designing a policy that is formal and can be formulated
in a user-understandable way [3b First attempts using P3P [1813314] were
unsuccessful. However, it is important to incorporate the user in the process of
policy design in order to gain her trust [77123] .

2 Ingredients 

In the first step we illustrate which components are essential for a case law framework.
To that end, we analyze actual judicial processes and derive ingredients
for the framework from the relevant legal principles. In particular, the court decision
and its justification give insights into how the decision is made and which
judicial concepts have to be reflected by our framework. Hence, in the following,
we analyze a representative court decision¹ and discuss the implications for our
framework.

The conflict. “This matter involves three certified questions from the Circuit 
Court of Harrison County regarding whether applicable state and federal privacy 
laws allow dissemination of confidential customer information by an insurance 
company to an unaffiliated third party during the adjustment or litigation of an 
insurance claim. ” 

Every case reaching a court is based on a conflict, i.e., there is some question,
as the one above, for which different parties have different opinions on its truth
value.² As a requirement for the framework, we can conclude that there has to
be a conflict that needs to be resolved by a decision. This decision can be an
arbitrary statement; hence, we call it a decision formula.

Sub-cases. A decision’s justification usually involves decisions of several sub-cases
in order to arrive at the final decision formula, e.g. the court needs to
decide whether a specific law is applicable before examining what follows from its
application. Each of these individual sub-case decisions may become a precedent
for decisions which deal with a similar sub-case.

1 The quotes are taken from MARTINO v. BARNETT, Supreme Court of Appeals of
West Virginia, No. 31270, Decided: March 15, 2004. The decision text is public at
http://caselaw.findlaw.com/wv-supreme-court-of-appeals/1016919.html

2 In the example case, the parties are a plaintiff, who was injured in a car accident,
and an insurance company, which refused to disclose the home address of the other
person involved in the accident. The insurance company claimed that to do so would
violate the privacy provisions of the Gramm-Leach-Bliley-Act (GLBA) and the West
Virginia Insurance Commission’s Privacy Rule.

The circumstances. “[The plaintiff] concedes that under the definitions of the 
GLBA [...] information he requests is technically nonpublic personal information 
of a customer which the Act generally protects from disclosure to nonaffiliated 
third parties. ” 

Every case contains some factual background. These facts constitute some 
statements which are not under discussion but measurably true, e.g., that an 
address is nonpublic personal information. We summarize these facts in a case 
description. 

Referencing related court decisions. “[T]he United States District Court
for the Southern District of West Virginia handed down an opinion in Marks
v. Global Mortgage Group, Inc., 218 F.R.D. 492 (S.D.W.Va.2003), providing us
with timely and pertinent considerations.”

The key of case law is referencing other cases in order to derive statements. 
In the example case, this capability is used to introduce an argumentation from 
a different court. This mechanism is also used when statements are derived 
from regulations. Consequently, the framework has to be capable of introducing 
statements during the case justification by references to their origin. 

Argumentation structure of the justification. “[The] GLBA provides exceptions
to its notification and opt-out procedures, including [...]”

The argumentation structure of the justification is not linear, i.e., of the
form $A \Rightarrow B \Rightarrow \ldots \Rightarrow$. But the arguments can be ordered in a tree form.
The exceptions stipulated by the GLBA are enumerated and then discussed
in the case justification. If more than one is applicable, these may serve as
independent decision grounds, each being a potential precedent in its own right.³
As a consequence, we believe that a proof tree fits the overall structure best.

World knowledge. “[We] conclude that nonpublic personal information may
be subject to release pursuant to judicial process.”

In the argumentation, the court leaves to the reader’s knowledge that the
plaintiff’s litigation actually is a “judicial process”. These open ends in the argumentation
are neither explicitly covered by a decision nor by a case reference.
Therefore, we need some world knowledge $KB_W$ that will cover these axiomatic
parts of the argumentation.

Precedents and stare decisis. The doctrine of stare decisis (to stand by things
decided) or binding precedents is unique to common law systems. The decisions
of superior courts are binding for later decisions of inferior courts (vertical stare
decisis). These binding precedents are applied to similar cases by analogy.

A special case is the binding nature of previous decisions on the same hierarchical
level or by the deciding court itself (horizontal stare decisis). While the
details of binding precedents of different courts on the same level are subject to
an ongoing scholarly debate, a court reversing itself is a more infrequent occurrence
but usually has high impact (for example, in the years 1946-1992, the U.S.
Supreme Court reversed itself in 130 cases⁴) and needs to be reflected in our
framework.⁵

3 O’Gilvie v. United States, 519 U.S. 79, 84 (1996).

In addition to the binding precedent, there also exists the persuasive precedent:
“While we recognize that the decision of the Marks court does not bind
us, we find the reasoning in Marks regarding a judicial process exception to the
GLBA very persuasive and compelling”.

Here, a court is not bound by an earlier decision, in our example because the 
earlier decision was made by an inferior court, but finds the argumentation so 
persuasive that it is voluntarily used as a precedent. 

Stare decisis does not apply in civil law systems, like those of Germany 
or France. However, these systems have a jurisprudence constante, facilitating 
predictable and cohesive court decisions. Though civil law judges are not obliged 
to follow precedents, they may use prior decisions as persuasive precedents and 
oftentimes do so. 

Material difference. Stare decisis only applies if the subsequent court has to
decide on a case or sub-case that is similar to the precedent. Therefore, if the
court finds material difference between the cases, it is not bound by stare decisis.
In practice, judges may claim material difference on unwarranted grounds, which
may lead to conflicting decisions of analogous cases within our framework. Thus,
we need to be able to account for false material difference.

Involving court hierarchies. “[W]e look initially to federal decisions interpreting
the relevant provisions of the GLBA for guidance with regard to the reformulated
question. However, the issue proves to be a novel one in the country
since few courts, federal or state, have addressed the exceptions to the GLBA.”

For our framework we need to take into account court hierarchies to identify
binding precedents. In common law jurisdictions, inferior courts are bound by the
decisions of superior courts; in civil law jurisdictions superior courts usually have
higher authority without being strictly binding. In federal states like the USA
or Germany we need to account for parallel hierarchies on state and on federal
levels. This complex hierarchy has significant implications on stare decisis.⁶

Hence, in our framework every case needs to be annotated by a court which
is part of a court hierarchy, to identify the character of precedents, binding or
potentially persuasive.

4 Congressional Research Service — Supreme Court Decisions Overruled by
Subsequent Decision (1992).
http://www.gpo.gov/fdsys/pkg/GPO-CONAN-1992/html/GPO-CONAN-1992-13.htm
The U.S. Supreme Court has explained its practice as follows: “[W]hen convinced
of former error, this Court has never felt constrained to follow precedent.” — Smith
v. Allwright, 321 U.S. 649, 665 (1944)

5 Federal and state supreme courts are allowed to overrule their own precedents. State
Oil Co. v. Khan, 522 U.S. 3, 20 (1997); Freeman & Mills, Inc. v. Belcher Oil Co., 11
Cal. 4th 85, 93 (1995).

6 For example, state courts in the United States are not considered inferior to federal
courts but rather constitute a parallel court system. While state courts must follow
decisions of the United States Supreme Court on questions of federal law, federal
courts must follow decisions of the courts of each state on questions of that state’s
law.

Ratio decidendi and obiter dicta. Regarding the court’s decision text, we
need to differentiate between two types of statements. Only those statements
and legal reasoning that are necessary for the rationale of the decision have the
actual binding property of a precedent. These necessary statements are called ratio
decidendi and constitute the binding precedent. Further statements and reasoning
that are not essentially necessary for the decision are called obiter dicta.
These are not binding but can be referenced as persuasive precedents.

For our reasoning framework we need to differentiate and annotate statements
into these two different categories to correctly identify binding precedents.

3 Defining The PriCL Framework 

Reflecting the observations just made, we define cases (Section 3.1) and case
law databases (Section 3.2). Thereby we also explain how to model the legal
principles described in Section 2. Then, we define how the database can be
used in order to deduce facts outside the framework (Section 3.3). We analyze
our framework, validating a number of basic desirable properties of case law
databases (Section 3.4). We finally show, for privacy regulations specifically,
that our framework matches the requirements identified by previous work [10]
(Section 3.5).

Throughout this section, we assume an underlying logic in which world properties
are expressed and reasoned about. Our framework is parametric with
respect to the precise form of that logic. The requirements the logic has to
fulfill are interpreting predicates as relations over objects, supporting universal
truth/falseness (denoted respectively as $\top$ and $\bot$), conjunction (denoted $\wedge$),
entailment (denoted $A \models B$ if formula $A$ entails formula $B$), and monotonicity
regarding entailment, i.e., if $A \models B$ then $A \wedge C \models B$ for any formula $C$. We will
discuss later on (Section 5) a particular kind of logics suitable in our setting. As
an intuition when reading the following, the reader may assume we are using a
first-order predicate logic.

3.1 Introducing Cases 

As we have seen, a case consists of a decision formula, a case description, a court,
and a proof tree. The first three components are straightforward to capture formally
(courts are represented by a finite set Courts of court identifiers). Designing
the proof tree is more involved since it needs to capture the judge’s justification.
We distinguish between different kinds of nodes in the tree depending on the
role the respective statements play in the justification: Does a sentence make an
axiomatic statement, or form part of the case description? Does it refer to a previous
case, adopting a decision under particular prerequisites? Does it make an
assessment on the truth of a particular statement (e.g., that a particular piece of
information is or is not to be considered private) under particular prerequisites?
All such statements are “standalone” in the sense that they are not implications
of previous arguments in the justification at hand. We therefore reflect them
in the leaf nodes of the proof tree, categorized by the three different types of
statements mentioned.

The inner nodes of the tree perform logical deductions from their children
nodes, representing the reasoning inherent in the justification, i.e., the conclusions
that are made until finally, in the tree root, the decision formula is reached.
Thereby, every inner node is annotated by an arbitrary formula. We differentiate
between two kinds of reasoning steps, AND-steps and OR-steps. The OR-steps reflect
the principle of independent decision grounds, i.e., the cases where a judge
increases legal certainty by listing arguments that are each sufficient on their own
for the conclusion. The AND-step is the natural conclusion step that is used to
ensure that the decision made is reached through the argumentation.

In order to avoid a recursive definition, we need a (possibly infinite) set of
case identifiers $\mathcal{C}_I$. Throughout the paper we assume a fixed given set $\mathcal{C}_I$. This
leads to the following definition:

Definition 1 (Case). A case $C$ is a tuple $(df, CaseDesc, ProofTree, crt)$ such
that

— $df$ is a formula that we call the decision formula of $C$.

— CaseDesc is a formula describing the case’s circumstances.

— ProofTree is a (finite) tree consisting of formulas $f$ where the formula of the
root node is $df$. Inner nodes are annotated with AND or OR and leaves are
annotated with $l \in \{Axiom, Assess\} \cup \{Ref(i) \mid i \in \mathcal{C}_I\}$. Leaf formulas $l$ are
additionally associated with a prerequisite formula $pre$. For leaves annotated
with Axiom, we require that $pre = l$.

— $crt \in Courts$.

For leaf formulas $l$, we refer to $l$ as the node’s fact, and we will often write these
nodes as $pre \to fact$ where $fact = l$.

By the prerequisites of an inner node $n$ with children nodes $n_1, \ldots, n_k$,
denoted as $pres(n)$, we refer to $\bigvee_{1 \le i \le k} pres(n_i)$ if $n$ is annotated by OR and
$\bigwedge_{1 \le i \le k} pres(n_i)$ if $n$ is annotated by AND. The prerequisites of a case $C$ are the
prerequisites of the root node and denoted by $pres_C$. We define analogously the
facts of a node and a case. We will often identify formulas with proof tree nodes.
Given a case $C$, by $df_C$ we denote the decision formula of $C$.

Let $\mathcal{C}$ be a set of cases and $\mu : \mathcal{C} \to \mathcal{C}_I$ a function. If for every reference
$Ref(i)$ in $\mathcal{C}$, there is a $D \in \mathcal{C}$ with $\mu(D) = i$, we call the set $\mathcal{C}$ closed under $\mu$.

We assume world knowledge common to all cases. In the example of open ends
in the argumentation in Section 2, it is assumed that the reader knows that the predicate
is_judical_process holds for any case. Formally, the world knowledge is a formula
$KB_W$ (naturally, a conjunction of world properties) in the underlying logic.

Definition 1 is purely syntactic, imposing no restrictions on how the different
elements are intended to behave. We will fill in these restrictions one by one as
part of spelling out the details of our framework, forcing cases to actually decide
a conflict and behave according to the legal principles. One thing the reader
should keep in mind is that $pre \to fact$ is not intended as a logical implication.
Rather, $pre$ are the prerequisites that a judge took into account when making
the assessment that $fact$ (e.g., the privacy status of a piece of information) is
considered to be true under the circumstances $CaseDesc \models pre$. The $pre \to fact$
dependencies thus model the human element in case law, which we consider to
be outside of what we can capture with formal logic. This solely captures human
decisions such as trade-off decisions. However, the framework allows reasoning
about the consequences of such decisions. The formulas $pres_C$, and respectively $facts_C$,
collect all prerequisites needed to apply the proof tree, and respectively all facts
needed to execute the proof tree; axiom leaves act in both roles.

In principle, a case has the purpose to decide a formula df. However, while 
justifying that a formula holds, e.g., that a telecommunication company has to 
delete connection data after a certain amount of time, the court might decide 
other essential subquestions. In the given example, this could be that connection 
data is personal data. This concept is conveniently captured through the notion 
of subcases. 

Definition 2 (Subcase). Let $C = (df, CaseDesc, ProofTree, crt)$ be a case and
$n \in ProofTree$ a node. Let $sub(n)$ be the subtree of ProofTree with root node $n$.
The case $sub(C, n) := (n, CaseDesc, sub(n), crt)$ is a subcase of $C$.

Another aspect that is of interest when referencing cases is the degree of
abstraction. For example, one case could decide that a specific telecommunication
company $C$ has to delete connection information $D$ of some user $U$ after a
specific time period $t$. The question of how this decision can be used in order
to decide the question for different companies $C'$ or different information $D'$ is
covered by the legal concept of material difference. For this work, we assume
that a judge specifies the allowed difference in the prerequisites of a decision.
However, it could also be modeled by introducing metrics and thresholds when
referencing (sub-)cases.

Our definition of cases, so far, is generic in the sense that it may be applied
to any domain of law. To configure our framework to privacy regulations more
specifically, a natural approach is to simply restrict the permissible forms of
decision formulas. We explicitly leave out legal domains such as individualized
sentencing or measuring of damages. Decisions in the privacy context are about
whether or not a particular action is legal when executed on particular data. We
capture this by assuming a dedicated predicate is_legal_action, and restricting the
decision formula to be an atomic predicate of the form is_legal_action(a), where a
is an action from an underlying set Actions of possible actions treated as objects
(constants) in the underlying logic. This can also be used in other legal domains,
but it turns out to be sufficient to connect our formalization of privacy cases with
other policy based approaches. Note that, in contrast to other policy frameworks,
we do not need to add the context to the predicate, as the context is contained
in the case, via nodes of the form “if the transfer-action a has purpose marketing
and the receiver is a third party, then $\neg$is_legal_action(a)”. As decisions about the
legality of actions are not naturally part of the common world knowledge $KB_W$,
nor of the case description CaseDesc itself, our modeling decision is to disallow
the use of is_legal_action predicates in these formulas. In other words, the world
and case context describe the circumstances which are relevant to determining
action legality, but they do not themselves define whether or not an action is
legal. This yields the following definition:

Definition 3 (Privacy Case). Given world knowledge $KB_W$ and action set
Actions, a case $C = (df, CaseDesc, ProofTree, crt)$ is a privacy case if
$df \in \{\neg is\_legal\_action(a),\ is\_legal\_action(a)\}$ for some action $a \in Actions$, where the
is_legal_action predicate is not used in either of $KB_W$ or CaseDesc.

Starting to fill in the intended semantics of cases, i.e., of the structures allowed 
as per Definition [0 we first capture the essential properties a case needs to 
have to “make sense” as a stand-alone structure. Additional properties regarding 
cross-case structures will be considered in the next subsection. We will use the 
word “consistency” to denote this kind of property. The following definition 
captures the intentions behind cases: 

Definition 4 (Case Consistency). Let $C = (df, CaseDesc, ProofTree, crt)$ be
a case. $C$ is consistent if the following holds (for all nodes $n$ where $n_1, \ldots, n_k$
are its child nodes):

(i) $KB_W \wedge CaseDesc \not\models \bot$

(ii) $KB_W \wedge CaseDesc \models pres_C$

(iii) $KB_W \wedge CaseDesc \wedge facts_C \not\models \bot$

(iv) $\bigwedge_{1 \le i \le k} n_i \models n$ if $n$ is an AND step and $\bigvee_{1 \le i \le k} n_i \models n$ if $n$ is an OR step

Regarding (i), if the world knowledge contradicts the case description, i.e.,
$KB_W \wedge CaseDesc \models \bot$, then the case could not have happened in reality. Similarly,
(iii) the case context must not contradict the facts that the proof tree makes use
of (this subsumes (i), which we kept as it makes the definition more readable).
As for (ii), the case context must imply the axioms as well as the prerequisites
which the present judge (assessments) or other judges (references to other cases;
see also Definition [TJ assumed to conclude these facts. (iv) says that inner nodes
must represent conclusions drawn from their children (remember here that $n_i$,
for leaf nodes $pre \to fact$, refers to $fact$).

The OR nodes of the proof tree reflect the legal argumentation structure of
independent decision grounds: the judge gives several arguments, each of which
is sufficient. If the judge of a later case decides that one of these arguments is
invalid for the conclusion, he needs to be able to falsify only one of the branches
and not the whole tree. In other words, the tree structure gives “syntactic sugar”
that makes it possible to reflect the justification more closely and thereby marks
which subsets of leaf nodes are sufficient in order to reach decision $df$.
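
The following sketch is an added example, not code from the paper: it models Definition 1 proof trees and checks the four conditions of Definition 4, using propositional logic with truth-table entailment as a stand-in for the underlying logic. It reads (i) and (iii) as satisfiability conditions and the OR step of (iv) as $\bigvee n_i \models n$; the sample case and every atom name except is_judical_process are constructed.

```python
from dataclasses import dataclass
from itertools import product

# Formula: atom name (str), True/False, ("not", f), ("and", f, ...) or ("or", f, ...).
def atoms(f):
    if isinstance(f, (bool, str)):
        return {f} if isinstance(f, str) else set()
    return set().union(*(atoms(g) for g in f[1:]))

def holds(f, v):
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return v[f]
    if f[0] == "not":
        return not holds(f[1], v)
    return (all if f[0] == "and" else any)(holds(g, v) for g in f[1:])

def entails(a, b):
    """a |= b, decided by enumerating every truth assignment (propositional only)."""
    names = sorted(atoms(a) | atoms(b))
    return all(holds(b, v) or not holds(a, v)
               for bits in product([False, True], repeat=len(names))
               for v in [dict(zip(names, bits))])

def satisfiable(f):
    return not entails(f, False)

@dataclass
class Leaf:
    label: str          # "Axiom", "Assess" or "Ref(<case id>)"
    fact: object
    pre: object = None  # prerequisite formula
    def __post_init__(self):
        if self.label == "Axiom":   # Definition 1: pre = l for Axiom leaves
            self.pre = self.fact

@dataclass
class Inner:
    kind: str           # "AND" or "OR"
    formula: object
    children: list

@dataclass
class Case:
    df: object
    case_desc: object
    tree: object
    crt: str

def formula(n):
    return n.fact if isinstance(n, Leaf) else n.formula

def collect(n, part):
    """pres(n) or facts(n): disjunction at OR nodes, conjunction at AND nodes."""
    if isinstance(n, Leaf):
        return part(n)
    return ("and" if n.kind == "AND" else "or", *(collect(c, part) for c in n.children))

def pres(n):
    return collect(n, lambda leaf: leaf.pre)

def facts(n):
    return collect(n, lambda leaf: leaf.fact)

def steps_ok(n):
    """Condition (iv) at n and below: every inner node follows from its children."""
    if isinstance(n, Leaf):
        return True
    op = "and" if n.kind == "AND" else "or"
    return (entails((op, *map(formula, n.children)), n.formula)
            and all(steps_ok(c) for c in n.children))

def violations(case, kb):
    """Labels of the Definition 4 conditions violated under world knowledge kb."""
    ctx = ("and", kb, case.case_desc)
    checks = {
        "(i)": satisfiable(ctx),
        "(ii)": entails(ctx, pres(case.tree)),
        "(iii)": satisfiable(("and", ctx, facts(case.tree))),
        # (iv), together with Definition 1's requirement that the root formula is df
        "(iv)": formula(case.tree) == case.df and steps_ok(case.tree),
    }
    return [label for label, ok in checks.items() if not ok]

# Constructed sample loosely modelled on the Martino v. Barnett discussion.
JP = "is_judical_process"
KB_W = JP
LEGAL = "is_legal_action(disclose_address)"

def sample_case(case_desc, with_assessment=True):
    ground1 = [Leaf("Axiom", JP),
               Leaf("Ref(marks)", "glba_exception", ("and", "nonpublic_personal_info", JP))]
    if with_assessment:  # assessment: the exception makes the disclosure legal
        ground1.append(Leaf("Assess", ("or", ("not", "glba_exception"), LEGAL), JP))
    tree = Inner("OR", LEGAL, [  # two independent decision grounds
        Inner("AND", LEGAL, ground1),
        Leaf("Assess", LEGAL, "requested_in_litigation"),
    ])
    return Case(LEGAL, case_desc, tree, "wv_supreme_court")
```

Because the root is an OR node, a case description that satisfies the prerequisites of only one decision ground still passes (ii), while dropping the assessment leaf breaks the AND step and is reported as (iv).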

3.2 Combining Cases to Case Law Databases 

The quintessential property of case law is that cases make references to other
cases. These references are necessary to formulate several legal principles of
Section 2.

The legal principles false material difference and reversing decisions define
requirements for when not to reference a case, either because it contains a mistake
or because the opinion has changed over time. Therefore, we consider the design
cleaner if both principles are covered by the same mechanism of the framework.
There are several options to model the principles: first, the reversed decision
could be covered by time, i.e., by a requirement to refer to the newest case that
is applicable regarding the circumstances. However, the false material difference
cannot be covered by that. Another approach is to denote single Assess nodes
as unwarranted, i.e., to forbid the reference to be used thereafter. This solution
can model both principles false material difference and reversing decisions. We
explicitly decided to model the mechanism of unwarranted nodes outside of the
cases. Assume a case would decide that another decision was unwarranted. This
leads to another decision that could potentially be marked as unwarranted later
on, implying that it is again correct to cite the case. Consequently, this would
lead to a set of time intervals during which the citation of nodes is warranted.
However, after legal consultation we figured out that this complication does not
match practice, i.e., once a decision is unwarranted it will not become warranted
again; hence we simplified the mechanism.

We require a different mechanism to differentiate cases we must agree with
and cases which we may use as reference. Unwarranting rather defines which
decisions must not be referenced. In particular, we need to differentiate between
assessments coming from the legal principles ratio decidendi and obiter dicta.
While the part of the decision following ratio decidendi leads to a binding precedent,
the obiter dicta part is not binding. Thus, we introduce predicates may-ref
and must-agree. They also provide a mechanism to respect the court hierarchy.
Intuitively, may-ref($C_1, C_2$) denotes the circumstance that case $C_1$ may reference
case $C_2$; must-agree($C_1, C_2$) analogously denotes that $C_1$ must agree with $C_2$.

In addition, we need to introduce the concept of time by a total order $<_t$
over cases. This concept allows us to formulate the requirement that references
can only point to the past. Using all these constructs, we can define a case law
database.


Definition 5 (Case Law Database (CLD)). A case law database is a tuple
$DB = (\mathcal{C}, <_t, \text{must-agree}, \text{may-ref}, \mu, U)$ such that:

— $\mathcal{C}$ is a set of cases. We will also write $C \in DB$ for $C \in \mathcal{C}$.

— $\mu : \mathcal{C} \to \mathcal{C}_I$ is an injective function such that $\mathcal{C}$ is closed under $\mu$. In the
following we will also write $Ref(D)$ for $Ref(i)$ if $\mu(D) = i$.

— Let $<_{ref} := \{(C, D) \mid D \text{ contains a } Ref(C) \text{ node}\}$ and $<_t$ is an order that we
call time order of the cases. It has to hold:

$\text{must-agree} \subseteq \text{may-ref}, \quad <_{ref} \subseteq \text{may-ref}, \quad \text{may-ref} \subseteq <_t \subseteq \mathcal{C} \times \mathcal{C}$

— $U$ specifies the unwarranted nodes, i.e., $U : \mathcal{C} \to N$ is a function such that

• $N$ is a subset of the nodes labelled with Assess or Ref in the cases $\mathcal{C}$.

• The set increases monotonically, i.e., $C <_t D \Rightarrow U(C) \subseteq U(D)$.

We denote the unwarranted nodes of DB by $U(DB) := \bigcup_{C \in \mathcal{C}}$

The function $\mu$ is used to remove the recursive definition of a case and enables
us to connect cases via their individual semantics.

Regarding the relations must-agree and may-ref we made two design decisions.
First, we decided not to link must-agree and the actual references $<_{ref}$.
On the one hand, there might be precedents which are not applicable, but on
the other hand, we want the freedom to define must-agree and may-ref only
depending on the court hierarchy, i.e., independent of the satisfaction of some
precedent’s preconditions. The second design decision is to base these relations
on cases instead of decision nodes. As for the first decision, the purpose is to
make an instantiation of the definition only depending on the court, but we need
to be careful regarding the principles ratio decidendi and obiter dicta, since one
of them is not binding and the other is, i.e., a must-agree. This differentiation
can be achieved by replacing every case with a set of cases. We require this to
be part of the modeling process. However, it is possible to automatically identify
parts of the proof that are optional to reach the final decision in the root node.

We did not add further restrictions since they may depend on local law. 
For example, there is a vertical stare decisis in US law, implying that higher 
court decisions have to be considered. There is also the term of horizontal stare 
decisis that requires respecting siblings in the hierarchy. This principle does not 
necessarily hold, but is under discussion. However, the definition of must- and 
may-references allows modeling both. 

Example 1 (Must-agree and may-references for a court hierarchy). Assume
the set of courts Courts is partially ordered by <§, i.e., there
is a court hierarchy. In this case, we could model must-agree by
must-agree = $\{(C_1, C_2) \mid C_i = (df_i, d_i, P_i, crt_i),\ i \in \{1,2\},\ C_1 <_t C_2,$
and $crt_1$ <§ $crt_2\}$.

It is easy to see that the must-agree predicate actually only depends on the 
crt and not on the other parameters of the proof. We call this property court- 
dependency. 

The key property of unwarranted decisions is that they are time dependent. 
In order to only use warranted decisions when referencing, we define warranted 
subcases as follows: 

Definition 6 (Warranted Subcase). A subcase (df, CaseDesc, ProofTree, crt)
is warranted with respect to a set N of nodes if the case
(df, CaseDesc, ProofTree', crt) is consistent where ProofTree' is derived from
ProofTree by replacing every precondition of a node $n \in N$ by $\bot$.

It remains to define when a case law database can be considered to be
consistent. To that end, we consider case references and conflicts between cases.
Starting with the former, we obtain: 

Definition 7 (Correct Case Reference). Let DB be a case law database and
C = (df, CaseDesc, ProofTree, crt) a case in DB. A leaf node pre → fact in
ProofTree annotated with Ref(D) references correctly if
$D_u = (fact, CaseDesc_D, ProofTree_u, crt_D)$ is a warranted subcase of a case
$D \in$ DB w.r.t. U(C), may-ref(C, D) holds and $KB_W \land pre \models pres_D$.
C references correctly if all its leaves annotated with Ref(D) reference
correctly.

Consider that, when referencing a (sub)case D as pre → fact from our case
C at hand, we are essentially saying that the same argumentation applied in D
can be applied in our case, to prove fact under circumstances pre. So we need to
show that this applicability of arguments is actually given. This is ensured by
$KB_W \land pre \models pres_D$, because $pres_D$ collects all prerequisites,
axioms and otherwise, needed to apply D. Note that, if C is consistent, by
Definition 4(ii) it holds that $KB_W \land CaseDesc \models pre$ and thus
$KB_W \land CaseDesc \models pres_D$. Note further that
$KB_W \land pre \models pres_D$ defines the role of pre as providing a condition
sufficient to entail “the other judge’s prerequisites”. As the same applies
recursively to the case references made in D, we know that pre (given $KB_W$
and CaseDesc) entails all judge decisions underlying the assessment fact. We
will formalize this in Theorem 2.

We are now almost in the position to define consistency at the level of the 
entire case law database. The last missing piece in the puzzle is to identify when 
cases should be considered to be in conflict — which naturally occurs in case 
law databases where different judges may make different decisions. We capture 
this through pairs of cases whose prerequisites are compatible, while their facts 
are contradictory: 

Definition 8 (Case Conflict). Let $C_1$ be a case in DB and $C_2$ be a warranted
case w.r.t. $U(C_1)$. We say that $C_1$ is in conflict with $C_2$ if and only if

(i) $KB_W \land pres_{C_1} \land pres_{C_2} \not\models \bot$
(ii) $KB_W \land facts_{C_1} \land facts_{C_2} \models \bot$
(iii) must-agree($C_1$, $C_2$)

A case C is in conflict with DB if there is a $D \in$ DB s.t. C is in conflict with D.

We ignore the case descriptions here, other than what is explicitly employed
as axioms in the proof trees: we consider cases to be in conflict if one could
construct a case (e.g., $pres_{C_1} \land pres_{C_2}$) which would make it possible to come to
a contradictory decision. We define case law database consistency as follows:

Definition 9 (Case law database consistency). A case law database DB =
$(\mathcal{C}, <_t, \text{must-agree}, \text{may-ref}, \mu, U)$ is

(i) case-wise consistent if every $C \in$ DB is consistent,

(ii) referentially consistent if every $C \in$ DB references correctly,

(iii) hierarchically consistent if every $C \in$ DB is not in conflict with DB, and

(iv) warrants consistently if for every C it holds that U(C) contains all Ref(D)
nodes where D is an unwarranted subcase w.r.t. U(C).

We call DB consistent if it warrants consistently and is hierarchically,
referentially and case-wise consistent.

3.3 Deriving Legal Consequences: Deducibility and Permissibility 

In the following we assume that the predicates may-ref and must-agree of the DB
do not depend on the case description, the decision formula or the proof tree, but
are only court dependent, cf. Example 1. As a consequence, we know the value of
these predicates for formula values and case descriptions which are not contained
as a case in the database given only the court level of the case. In other words, we
require an operation DB ∪ {C} that puts C at the end of the timeline regarding
$<_t$, assigns a fresh identifier $i \in \mathcal{C}_I$ to C with $\mu$, uses as $U(C) := U(\text{DB})$,
and adopts must-agree, may-ref appropriately and is independent of the decision
formula and the proof tree. This operation is needed to apply the framework to
situations not contained in the database.

Obvious applications of our framework are advanced support for case search 
(based on logic operations over the case descriptions, decision formulas, etc.), 
and consistency checking (given a case C, is C consistent and does it reference 
correctly?). A more advanced task is to evaluate the legality of actions given 
the cases reflected in the database. For example, when designing a course
administration system, one may ask “Am I allowed to store students’ grades in
the system?” Our formalism supports this kind of question at different levels of 
strength, namely: 

Definition 10 (Deducibility and Permissibility). Let DB =
$(\mathcal{C}, <_t, \text{must-agree}, \text{may-ref}, \mu, U)$ be a consistent CLD, and f a formula. We say that f
is permitted in DB under circumstances CaseDesc and court crt if there exists a
case C = (f, CaseDesc, ProofTree, crt) such that ProofTree does not contain nodes
labeled with Assess, and DB ∪ {C} is consistent (where C is inserted at the end
of the timeline $<_t$). We say that f is uncontradicted in DB under CaseDesc and
crt if $\lnot f$ is not permitted under CaseDesc and crt. We say that f is deducible if
it is permitted and uncontradicted.

For sets F of formulas, we say that F is permitted in DB under CaseDesc
and crt if there exists a set of cases $\{C_f = (f, CaseDesc, ProofTree_f, crt) \mid f \in F\}$
such that every $ProofTree_f$ does not contain nodes labeled with Assess, and
DB ∪ $\{C_f \mid f \in F\}$ is consistent (where the $C_f$ are inserted in any order at the
end of the timeline $<_t$).

It might be confusing at first why we attach to f the weak attribute of being
“permitted” if we can construct a case supporting it. The issue is, both f and
$\lnot f$ may have such support in the same database. This follows directly from the
freedom of different courts to contradict each other. If two courts at the same
level decide differently on the same issue, then that is fine by our assumptions.
Hence, to qualify a formula f for the strong attribute of being “deducible”, we
require the database to permit f and to not permit its contradiction.

Note that permissibility and deducibility are also dependent on the
circumstances CaseDesc and the court crt. For example, when we answer “was it legal
to send data D to party P?”, it matters for which purpose the data was sent.
That information is contained in the CaseDesc. The court level has several
interpretations here: the court might be chosen to match the local court of the
party asking the question. But the court level can also be viewed as a level of
confidence. Permissibility is a “stronger” guarantee for lower court instances,
because we can then deduce without incurring conflicts to instances higher up.
Hence lower court instances can be used to obtain permissibility “with high
confidence”, and contradictions “with low confidence”. Vice versa, higher court
instances can be used to obtain permissibility “with low confidence” and
contradictions “with high confidence”.

The concept of deducibility of a set F of formulas is interesting because, in
general, this is not the same as deducing each formula in separation. In
particular, while each of f and $\lnot f$ may be permitted in the same database, $\{f, \lnot f\}$
is never permitted because adding the hypothetical supporting cases necessarily
incurs a hierarchical conflict. Permissibility of F is also not the same as
permissibility of $\bigwedge_{f \in F} f$ because the latter makes a stronger assumption: all cases
referred to in order to conclude $\bigwedge_{f \in F} f$ must have compatible prerequisites.
So deducibility of formula sets forms a middle ground between individual and
conjunctive deducibility.

Theorem 1. There is a consistent case law database DB, case description
CaseDesc and court crt, such that there is a set F of formulas for each of the
following properties (in DB under circumstances CaseDesc and court crt):

(i) For every $f \in F$, f is permissible and F is not permissible.

(ii) F is permissible, but $\bigwedge_{f \in F} f$ is not permissible.

This theorem’s proof and the details of all other proofs are given in
Appendix B.

Characterizing Deducibility. Deducibility is the central concept for
answering questions that are not explicitly answered by the database. However,
Definition 10 does not give an algorithmic description of how to decide whether
some formula is deducible. It is also inconvenient for proving properties about
permissibility and deducibility. Thus, we give an equivalent characterization in
the following.

Intuitively, a formula should be permissible if there is a set of warranted
decisions which allow us to conclude the predicate and a formula f should be
deducible if in addition no set of decisions contradicts f. We will first define
supporting sets and then prove that the intuition matches the definitions of
permissibility and deducibility.

Definition 11 (Supporting set). Let DB = $(\mathcal{C}, <_t, \text{must-agree}, \text{may-ref}, \mu, U)$
be a consistent case law database, f a formula, CaseDesc a case description
and crt a court. A set A of leaf nodes in DB that are labeled with Assess is a
supporting set for formula f if the following holds:

(1) $KB_W \land CaseDesc \models \bigwedge_{(pre \to fact) \in A} pre$

(2) $KB_W \land CaseDesc \land \bigwedge_{(pre \to fact) \in A} fact \models f$

(3) $KB_W \land CaseDesc \land \bigwedge_{(pre \to fact) \in A} fact \not\models \bot$

A supporting set is unwarranted if it contains an unwarranted node w.r.t. any
$C \in \mathcal{C}$. If it is not unwarranted it is warranted.

A supporting set is consistent with DB if DB ∪ {($\top$, CaseDesc, ProofTree, crt)} is
consistent, where ProofTree consists of a root node with annotation $\top$ and leaf
nodes with annotation Ref($C_n$) for $n \in A$, where $C_n$ is the case that contains
node n.

Note that a supporting set that is consistent with the DB leads to
consistency, and correct referencing, and does not create any conflicts. The properties
required in the definition are a consequence of the definition of database
consistency. A case constructed from a supporting set would simply refer to all
decisions and place the formula at the root. Case consistency requires the
properties (1)-(3) to hold; referential consistency requires that the referenced leaf
nodes are warranted and hierarchical consistency requires that the supporting
set is not in conflict with DB.

The following theorem characterizes permissibility and deducibility using 
supporting sets. This characterization suggests an algorithmic way of deciding 
the properties and gives a tool for proving properties about case law databases. 

Theorem 2. Let DB be a consistent case law database, f a formula, CaseDesc
a case description and crt a court. The following holds:

1. $C \in$ DB with warranted node f $\Rightarrow$ $\exists A$ that supports f

2. f is permitted (under circumstance CaseDesc and court crt) $\Leftrightarrow$ $\exists A$ that
   supports f, is warranted, and is consistent with DB

3. f is deducible $\Leftrightarrow$ $\exists A$ that supports f and is consistent with DB, and $\forall B$ it
   holds that B does not support $\lnot f$, is unwarranted, or is not consistent with
   DB

3.4 General Properties of Case Law Databases 

Introducing a new framework always comes with the risk of modeling errors. 
A method for alleviating that risk is to prove properties that the framework 
is expected to have. In order to validate the framework introduced here, we 
have proven that (i) case references do not influence decisions (Theorem 5);
in this subsection we additionally prove that (ii) consistency is necessary for
property (i) (Theorem ©), and that (iii) neither $\bot$ nor $\{f, \lnot f\}$ are ever permitted
(Theorem 3).

Regarding (i), we have shown that every formula f in the database can be
derived from a supporting set of previous decisions (Theorem ©) with the case
description and world knowledge. Hence there is no possible interplay between
case references that would make it possible to prove something not backed up
by judges’ decisions.

Regarding (ii), Theorem © implies immediately that, whenever a formula f
is deducible, then it follows from decisions made by judges in previous cases. It
is easy to verify that our restrictions are necessary to ensure this, i.e., that this
property gets lost if we forsake either case-wise or referential consistency:

Theorem 3. Let DB be a case law database, and let f be any formula that does
not entail $\bot$. Then there exist cases $C_1$ and $C_2$, each with root node f and the
empty case desc $\top$, such that (inserting $C_i$ at the end of the timeline $<_t$):

— If DB is case-wise consistent, then so is DB ∪ {$C_1$}.

— If DB is referentially consistent, then so is DB ∪ {$C_2$}.

— If there is a crt such that must-agree(crt) = $\emptyset$, then in addition this holds:
  for each of i = 1,2, if DB is hierarchically consistent, then so is DB ∪ {$C_i$}.

We remark that, by restricting the formula f only slightly, the proof of
Theorem 3 can be strengthened so as not to have to rely on a maximal court for
ensuring hierarchical consistency. In particular, if f is made of predicates that
do not occur anywhere in the case law database, then the cases $C_1$ and $C_2$ as
constructed cannot be in conflict with any other cases, thus preserving
hierarchical consistency for arbitrary courts crt. We finally prove (iii), non-permissibility
of either $\bot$ or $\{f, \lnot f\}$:

Theorem 4. The formula $\bot$ is not permitted in any case law database DB,
under any circumstances CaseDesc and court crt. The same holds for $\{f, \lnot f\}$ if
$crt \in$ must-agree(crt).

3.5 Privacy Cases and Norms 

We now point out an interesting property of privacy cases, and of case law 
databases consisting only of privacy cases. We call such databases privacy case 
law databases. 

Rule based privacy policies are a well established and widely used concept.
The rules that are used are usually reflected by norms defining privacy
regulations. However, neither rules nor norms are reflected in the case law framework.
In this subsection, we show that we can use a natural definition of norms that
can be extracted from privacy cases. In addition, it is possible to transform a
privacy case to a normal form such that a norm that decides the case is
represented. Consequently, we also consider norm extraction as a reasoning task in
Section 4.

At the core of privacy regulations are positive and negative norms, as
introduced by [10]. Positive norms are permissive in the sense that they describe
conditions that allow transactions with personal data ($\varphi \Rightarrow$ is_legal_action(a)).
Negative norms, in contrast, define necessary conditions for such transactions,
i.e., they forbid transactions with personal data unless certain conditions are
met ($\varphi \Rightarrow \lnot$is_legal_action(a)). We formulate negative norms as conditions that
lead to the denial of transactions.

Definition 12 (Norms). Let $a \in$ Actions. A norm is a formula that has the
form $\varphi \Rightarrow p$ where is_legal_action(a) does not occur in $\varphi$. The norm is a positive
norm, denoted $\varphi^+$, if p = is_legal_action(a) and a negative norm, denoted $\varphi^-$, if
p = $\lnot$is_legal_action(a). A norm $\varphi$ decides p given f if $KB_W \land f \models \varphi$.

In the case law framework, norms are hidden by judges’ assessments.
However, in the spirit of Theorem 5 norms are reflected by sets of cases that could
be referenced in order to support either the legality of an action (positive norm)
or its illegality (negative norm). In the following theorem, we show that we can
extract a norm for every privacy case avoiding the recursion of Theorem 2.

Theorem 5. Let DB be a consistent privacy case law database and
C = (df, CaseDesc, ProofTree, crt) $\in$ DB. Then there is a norm
$\varphi$ that decides df given CaseDesc. In particular, there are formulas
$\varphi_W, \varphi_S$ such that is_legal_action(a) does not occur in these formulas and
(1) $facts_C \Rightarrow \varphi_W \land (\varphi_S \Rightarrow df)$ (2) $(\varphi_W \land (\varphi_S \Rightarrow df)) \Rightarrow df$

The formulas $\varphi_W$ and $\varphi_S$ can be used to construct a normal form of privacy
cases. In particular, this normal form is consistent and allows reading off norms.

Corollary 1 (Normal forms). Let DB = $(\mathcal{C}, <_t, \text{must-agree}, \text{may-ref}, \mu, U)$ be
a privacy case law database, C = (df, CaseDesc, ProofTree, crt) $\in$ DB be a case,
and D be the set of C’s leaf nodes. N(C) is the case that consists of a root
node df, two inner nodes $\varphi_W$ and $\varphi_S \Rightarrow df$ and the leaf nodes D as children of
both inner nodes. We call N(C) the normal form of C. If DB is consistent, then
$(\mathcal{C} \setminus \{C\} \cup \{N(C)\}, <_t)$ is also consistent (where N(C) is placed at the position
of C w.r.t. $<_t$).

In order to define N(C), we need to duplicate the leaf nodes since the
transformations to get $\varphi_W$ and $\varphi_S$ ignore which fact is needed to get the corresponding
formula. Thus, a leaf node’s fact could end up in both formulas $\varphi_W$ and $\varphi_S$.

In conformance with uni, we can conclude from deducibility of an action that 
there is a positive norm supporting it and show that no negative norm can be 
applied, i.e., all negative norms are respected (Theorem [fj . 

4 Reasoning Tasks 

We now discuss the reasoning tasks associated with our framework — how to 
answer questions such as “are we allowed to send data D to some party P?” 
— in more detail, giving an algorithm sketch and brief complexity analysis (in 
terms of the number of reasoning operations required) for each. 

Consistency. Analyzing and keeping the state of the case law database
consistent is of vital importance for its usefulness; cf. Theorem 4. As in the definition of
consistency, we split the task of checking consistency into case-wise, referential,
and hierarchical consistency. Due to their simplicity, we postpone the detailed
description of their algorithms to the appendix.

All of these properties are defined per case, i.e., the case-wise check of the
corresponding property has to be repeated |DB| times. Following the respective
definition, checking case consistency costs |ProofTree| + 1 entailment operations
and checking correct referencing for C costs references(C) where references(C) is
the number of nodes in C annotated by Ref(D). Hierarchical consistency can be
checked along the time line $<_t$ only testing for conflicts with earlier cases. So for
the i-th case, we need at most $(i - 1) \cdot 2$ entailment checks, since every conflict
check requires 2. Consequently, we require $|\text{DB}| \cdot (|\text{DB}| + 1)$ entailment checks.

The property whether the case law database warrants consistently can be
checked using one entailment test per reference to a subcase containing an
unwarranted decision node.

Deducibility and Permissibility. As deducibility amounts to two consecutive
permissibility checks, we consider the latter exclusively. We are given a database
DB, a formula f whose permissibility should be checked, as well as a case
description CaseDesc and a court crt forming the circumstances. By Theorem 2,
permissibility is equivalent to the existence of a supporting set A for f that
is consistent with the database. Thus the task of permissibility, i.e., giving a
“yes” vs. “no” answer, can be reduced to checking the existence of a suitable
set A. If the answer is “yes”, we can also output a witness, i.e., a
hypothetical case C showing permissibility. A straightforward means for doing this is
to set C := (f, CaseDesc, ProofTree, crt) where ProofTree consists of root node
f, one leaf node l labeled with Ref(D) for every $D \in A$, as well as one leaf
node $KB_W \land CaseDesc$ labeled with Axiom. For convenience, we will denote this
construction by C(A). See Algorithm 1.


Algorithm 1: Permissibility

Input : A formula f, case description CaseDesc, court crt, and a consistent
        CLD DB
Output: A case C = (f, CaseDesc, ProofTree, crt) such that DB ∪ {C} is
        consistent (where C is set to be the maximum w.r.t. $<_t$), or $\bot$ if no
        such C exists

 1 Test whether $KB_W \land CaseDesc \models \bot$. If so, output $\bot$.
 2 Test whether $KB_W \land CaseDesc \models f$. If so, output
   (f, CaseDesc, ProofTree, crt) where ProofTree is the proof tree consisting of a
   leaf node labeled by Axiom containing f.
 3 Set $N := \emptyset$.
 4 for every $D \in$ DB and every $(pre \to fact) \in D$ labeled Assess do
 5     Check if $KB_W \land CaseDesc \models pre$
 6     Check if $KB_W \land CaseDesc \land fact \not\models \bot$.
 7     If both checks succeed, set $N := N \cup \{(pre \to fact)\}$.
 8 end
 9 for $A \in 2^N$ do
10     Check that $KB_W \land CaseDesc \models \bigwedge_{(pre \to fact) \in A} pre$
11     Check that $KB_W \land CaseDesc \land \bigwedge_{(pre \to fact) \in A} fact \models f$
12     Check that $KB_W \land CaseDesc \land \bigwedge_{(pre \to fact) \in A} fact \not\models \bot$
13     for every $E \in$ DB with crt <§ $crt_E$ do
14         Check that E and C(A) are not in conflict (cf. Algorithm 4).
15     end
16     If all three tests succeed, go on with step 18, otherwise continue with
       the next A.
17 end
18 If a set A succeeded, output C(A), otherwise output $\bot$.


The correctness of the algorithm is shown by Theorem 2; lines 10-12 check
that the set supports f and lines 13-15 ensure that it is consistent with the
database. In contrast to our previous algorithms, deducibility checking as per
Algorithm 1 requires an exponential number of entailment checks in the worst
case (a trivial bound is in the order of $2^N$ where N is the number of decision nodes
in the database). This raises the questions (1) whether or not this exponential
overhead is inherent in the complexity of deciding permissibility, and (2) whether
it is possible to encode the permissibility test directly into the logic instead. In
what follows, we shed some light on (1) and (2).
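
The permissibility and deducibility checks above, as an added example that is not code from the paper: Algorithm 1 over propositional logic with truth-table entailment, under the simplification must-agree(crt) = ∅ that the paper itself adopts for its complexity analysis, so the conflict check of lines 13-15 is omitted. The atoms, the precedents D1 and D2, the knowledge base and the case descriptions are constructed for illustration, following the course administration question.

```python
from collections import namedtuple
from itertools import combinations, product

# Propositional atoms of the constructed scenario (assumption, not from the paper).
ATOMS = ("teaching", "admin_purpose", "consent", "legal_store")

# A warranted Assess leaf "pre -> fact" and the case it belongs to.
# Formulas are predicates over a truth assignment (dict: atom -> bool).
Assess = namedtuple("Assess", "case pre fact")


def models(formulas):
    """Yield every assignment over ATOMS that satisfies all formulas."""
    for bits in product((False, True), repeat=len(ATOMS)):
        v = dict(zip(ATOMS, bits))
        if all(f(v) for f in formulas):
            yield v


def satisfiable(formulas):
    return next(models(formulas), None) is not None


def entails(premises, goal):
    return all(goal(v) for v in models(premises))


def neg(f):
    return lambda v: not f(v)


def permitted(f, case_desc, kb, assess_nodes):
    """Algorithm 1 without lines 13-15 (must-agree(crt) assumed empty).

    Returns a supporting set as a tuple of Assess nodes (empty when f already
    follows from KB_W and CaseDesc), or None if f is not permitted.
    """
    base = list(kb) + list(case_desc)
    if not satisfiable(base):                      # line 1
        return None
    if entails(base, f):                           # line 2: axiom-only proof
        return ()
    # Lines 3-8: keep nodes whose precondition applies and whose fact is
    # compatible with the circumstances.
    n_set = [n for n in assess_nodes
             if entails(base, n.pre) and satisfiable(base + [n.fact])]
    # Lines 9-17: search the subsets of N, smallest first (exponential).
    for k in range(1, len(n_set) + 1):
        for a in combinations(n_set, k):
            facts = [n.fact for n in a]
            # Line 10 holds already: every pre in N is entailed on its own,
            # hence so is their conjunction. Lines 12 and 11 follow.
            if satisfiable(base + facts) and entails(base + facts, f):
                return a
    return None                                    # line 18


def deducible(f, case_desc, kb, assess_nodes):
    """Permitted and uncontradicted: f is permitted, its negation is not."""
    return (permitted(f, case_desc, kb, assess_nodes) is not None
            and permitted(neg(f), case_desc, kb, assess_nodes) is None)


# Constructed world knowledge: teaching implies an administrative purpose.
KB = [lambda v: (not v["teaching"]) or v["admin_purpose"]]

# Constructed precedents from two courts of the same level that disagree.
DB = [
    Assess("D1", lambda v: v["admin_purpose"], lambda v: v["legal_store"]),
    Assess("D2", lambda v: not v["consent"], lambda v: not v["legal_store"]),
]

LEGAL = lambda v: v["legal_store"]   # stands for is_legal_action(store_grades)
DESC_CONSENT = [lambda v: v["teaching"], lambda v: v["consent"]]
DESC_NO_CONSENT = [lambda v: v["teaching"], lambda v: not v["consent"]]

if __name__ == "__main__":
    for name, desc in (("consent", DESC_CONSENT), ("no consent", DESC_NO_CONSENT)):
        pro = permitted(LEGAL, desc, KB, DB)
        con = permitted(neg(LEGAL), desc, KB, DB)
        print(name,
              "| supports legality:", [n.case for n in pro or ()],
              "| supports illegality:", [n.case for n in con or ()],
              "| deducible:", deducible(LEGAL, desc, KB, DB))
```

Without consent both D1 and D2 apply, so storing grades is permitted but not deducible; the joint set {D1, D2} is rejected by the check of line 12.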

The answer to (1) is a qualified “yes” in the sense that permissibility checking
essentially pre-fixes entailment checks with an existential quantifier. As
entailment checks correspond to universal quantification, this intuitively means that
for permissibility we need to test the validity of a $\exists\forall$ formula, instead of a $\forall$
formula for entailment. So we add a quantifier alternation step, which typically
does come at the price of increased complexity. This line of thought also
immediately provides an intuitive answer to question (2), namely “yes but only if the
underlying logic contains $\exists\forall$ quantification”.

Of course, both these answers are only approximate and only speak in broad
terms. Whether each is to be answered with “yes” or “no” depends on the precise
form of the logic, and on what kind of blow-up we are willing to tolerate. To
make matters concrete, we now consider three particular logics, namely
first-order predicate logic, description logic (more specifically a particular version
of ALC) and propositional logic (i.e., first-order predicate logic given a finite
universe and without quantification). We start with the latter.

In what follows, say we need to check whether formula f is permitted in
DB under circumstances CaseDesc. We abstract from the complications entailed
by maintaining hierarchical consistency, and assume that for crt, it holds that
must-agree(crt) = $\emptyset$.

Theorem 6. For propositional logic, deciding permissibility is $\Sigma_2^p$-complete.

Proof sketch. The set $\Sigma_2^p = NP^{NP}$, so containment is shown by guessing a
supporting set and verifying its properties using an NP oracle. For the hardness
we encode a QBF formula $\exists x \forall y : \varphi(x, y)$ in a permissibility request for a case law
database. We do this by encoding all possible values for x in the database and
asking for the permissibility of $\varphi(x, y)$. Details can be found in Appendix B.7.

As entailment testing in propositional logic is only coNP-complete,
Theorem 5 answers question (1) with “yes”, and answers question (2) with “no, unless
we are willing to tolerate worst-case exponentially large formulas”.
Unsurprisingly, the answers for first-order logic are different:

Theorem 7. Permissibility is equivalent to satisfiability of a formula whose size
is polynomial in the size of DB, CaseDesc, and f for

(1) first-order logic.

(2) the description logic ALC with concept constructors fills and one-of by role
constructors role-and, role-not, product, and inverse.^7

Proof sketch. The result in m shows equality of expressivity of first-order logic
with at most two free variables. Thus we construct a suitable formula for the
first part. We do this by using existential quantification in order to choose a
warranted supporting set and then design the formula such that it is satisfiable
if and only if the consistency properties of the case holds that can be constructed
from that supporting set (i.e., the case potentially output by Algorithm 1). All
parts that are not chosen by the existential quantifier will be equivalent to $\top$.
Details can be found in Appendix B.8.

7 For details on this instance of ALC, please consult mi-

Norm extraction. As seen in Section 3.5, privacy cases induce normative rules.
The format of rules gives the advantage that these are easy to enforce and bridge
the gap towards privacy policies. As shown by Theorem 5 we extract a norm
for every case in the database. The assumption is that the case is consistent
with respect to an underlying consistent privacy case law database DB. The
algorithm is postponed to the appendix (Algorithm 5). It basically turns the
proof of Theorem 5 into an algorithm transforming the logical formula of the
case’s facts.

Let f be the size of the biggest formula in the leaves of C and n the number
of nodes in C. Then the size of the norm can become $O(2f \cdot n + |pre_C|)$. The
computation needs operations linear in that size. However, there is no need for
any operations to decide $\models$ in order to solve this reasoning task.

5 Logic Selection 

For modeling purposes — naturally modeling the background knowledge base,
the detailed aspects characterizing a case description, and the reasoning applied
in arguments — as well as for computational purposes — effectively realizing
the desired reasoning tasks — the choice of logic is, of course, of paramount
importance. The only hard requirement (“must have”) that the logic, $\mathcal{L}$, must
meet is:

(i) Sufficient expressivity to tackle our framework and reasoning tasks.
Precisely, the minimal requirement is for $\mathcal{L}$ to provide a language $\mathcal{L}_F$ for
formulas, with reasoning support for tests of the form (a) H and (b)
A|= ip. These are the only tests our reasoning tasks demand from the
underlying logic. If $\mathcal{L}_F$ is closed under conjunction and contains $\bot$ (as will
be the case in our logic of choice), the requirement simply becomes to be
able to test whether $\varphi \models \psi$.

The soft requirements (“nice to have”) on the logic are: 

(ii) Suitable for modeling real-world phenomena and knowledge, ideally 
an established paradigm for such modeling tasks. 

(iii) Decidability, and as low complexity as possible, of the relevant
reasoning (e.g., satisfiability checks; cf. (i)).

(iv) Effective tool support established and available. 

What we have just outlined is essentially a “wanted poster” for description logic
(DL) [B]. This is a very well investigated family of fragments of first-order logic
(several decades of research in AI and related areas), whose mission statement
is to provide a language for modeling real-world phenomena and knowledge
(ii), while retaining decidability and exploring the trade-off of expressivity vs.
complexity (iii). Effective tool support (iv) has been an active area for two
decades. Every DL provides a language to describe “axioms”, and even the most
restricted DLs (in particular, the DL-Lite family m which constitutes the “lower
extreme” of the DL complexity scale) make it possible to answer queries about
the truth of an axiom relative to a conjunction of axioms, which is exactly the
test we require.

To make things concrete, we briefly consider the description logic attributive
concept language with complements, for short ALC, which was introduced in 1991
[31]^8 and is widely regarded as the canonical “basic” description logic variant
(most other DLs extend ALC, in a variety of directions). Description logic is a
form of predicate logic that considers only 1-ary and 2-ary predicates, referred
to as concepts and roles, respectively. Assuming a set $N_C$ of concept names and
a set $N_R$ of role names, DL makes it possible to construct complex concepts,
which correspond to a particular subset of predicate-logic formulas with exactly
one free variable. For ALC, the set of complex concepts is the smallest set such
that

1. $\top$, $\bot$ and every concept name $A \in N_C$ are complex concepts, and

2. if C and D are complex concepts and $r \in N_R$, then $C \sqcap D$, $C \sqcup D$, $\lnot C$, $\forall r.C$,
   and $\exists r.C$ are complex concepts.

Here, $\sqcap$ denotes concept intersection (logical conjunction), $\sqcup$ denotes concept
union (logical disjunction), and $\lnot C$ denotes concept complement (logical
negation). $\forall r.C$ collects the set of all objects x such that, whenever x stands in
relation r to y, $y \in C$. Similarly, $\exists r.C$ collects the set of all objects x such that
there exists y where x stands in relation r to y and $y \in C$.

ALC allows concept inclusion axioms, of the form $C \sqsubseteq D$, where C, D are
complex concepts, meaning that C is a subset of D (universally quantified logical
implication). ALC furthermore allows assertional axioms, of the form x : C or
(x, y) : r, where C is a complex concept, r is a role, and x and y are individual
names (i.e., constants). An ALC knowledge base consists of finite sets of concept
inclusion axioms and assertional axioms (called the TBox and ABox
respectively), interpreted as conjunctions. The basic reasoning services provided by
ALC (and most other DLs) are testing whether a knowledge base KB is
satisfiable, and testing whether $KB \models \varphi$ where $\varphi$ is an axiom. These decision problems
are decidable, and more precisely, ExpTime-complete for ALC. (In some DL-Lite
variants, the decision problems are in NP, or even polynomial-time solvable.)

For our purposes, we can assume as our formulas Cr conjunctions of axioms,
i.e., the smallest set that contains $\bot$, all axioms of the underlying DL (e.g., $\mathcal{ALC}$),
as well as $\varphi \wedge \psi$ if $\varphi$ and $\psi$ are members of Cr. In order to test whether $\varphi \models \psi$, we
then simply call the DL reasoning service “$\varphi \models \psi_i$?” for every conjunct $\psi_i$ of $\psi$
and return “yes” iff all these calls did. In other words, we may use conjunctions
of DL axioms in the knowledge base, case descriptions, and proof tree nodes.

8 For a comprehensive overview of current techniques and results regarding $\mathcal{ALC}$, see

0 .

6 Conclusion


In this paper, we introduced PriCL, the first framework for automated reasoning
about case law. We showed that it complies with natural requirements of
consistency and tailored the framework for privacy case law. Moreover, we showed
a tight connection between privacy case law and the notion of norms that
underlies existing rule-based privacy research. We identified the major reasoning
tasks such as checking the case law database for consistency, extracting norms
and deducing whether an action is legal or not. For all these tasks, we gave
algorithms deciding them and we did an analysis that leads to $\mathcal{ALC}$ as a suitable
instantiation for the logic. In particular, $\mathcal{ALC}$ provides efficient realizations while
being sufficiently expressive and suitable for modeling real-world phenomena and
knowledge.

For future research, we need to construct a significantly large database
consisting of real-world cases. Here, the challenge is to differentiate between
statements made as world knowledge statements, those made because of the case
descriptions and those referenced. The reason for this is that there is no clean
language-wise separation in the argumentation.

A Postponed Algorithms for Reasoning Tasks

A.1 Database Consistency

Here, we present the algorithms for consistency that were postponed in Section [4].
Algorithm [2] can be used to decide case consistency, Algorithm [3] can be used to
decide referential consistency and Algorithm [5] can be used to decide hierarchical
consistency.


Algorithm 2: Case consistency

Input : A case $C = (\mathit{df}, \mathit{CaseDesc}, \mathit{ProofTree}, \mathit{crt})$

Output: $\top$ if $C$ is consistent and $\bot$ otherwise

1 Check that $KB_W \wedge \mathit{CaseDesc} \models \mathit{pres}_C$.

2 Check that $KB_W \wedge \mathit{CaseDesc} \wedge \mathit{facts}_C \not\models \bot$.

3 For every leaf node $n$ in ProofTree labeled with Axiom, check that
  $KB_W \wedge \mathit{CaseDesc} \models n$.

4 For every inner node $n$ in ProofTree annotated by AND with child nodes
  $n_1, \ldots, n_k$, check that $\bigwedge_{1 \le i \le k} n_i \models n$.

5 For every inner node $n$ in ProofTree annotated by OR with child nodes
  $n_1, \ldots, n_k$, check that $\bigvee_{1 \le i \le k} n_i \models n$.

6 If all checks succeed output $\top$; otherwise output $\bot$.
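
Algorithm 2 instantiated over propositional logic with a truth-table entailment test, as an added example (not code from the paper). The tuple encoding of formulas, the dictionary layout of cases and proof-tree nodes, and the sample case are assumptions made here; pres_C and facts_C are passed in precomputed because their definitions are not restated in this appendix.

```python
from itertools import product

# Assumption: propositional formulas as nested tuples stand in for the logic,
# which PriCL leaves as a parameter. pres_C and facts_C are supplied directly.
BOT = ("bot",)

def atoms(f):
    return {f[1]} if f[0] == "var" else set().union(*(atoms(g) for g in f[1:]))

def holds(f, v):
    op, a = f[0], f[1:]
    if op == "var":
        return v[a[0]]
    if op == "not":
        return not holds(a[0], v)
    if op == "imp":
        return not holds(a[0], v) or holds(a[1], v)
    if op in ("and", "top"):      # the empty conjunction is top
        return all(holds(g, v) for g in a)
    if op in ("or", "bot"):       # the empty disjunction is bottom
        return any(holds(g, v) for g in a)
    raise ValueError(op)

def entails(premises, goal):
    """Truth-table test of premises |= goal (exponential, fine for a demo)."""
    names = sorted(set().union(atoms(goal), *(atoms(p) for p in premises)))
    for bits in product((False, True), repeat=len(names)):
        v = dict(zip(names, bits))
        if all(holds(p, v) for p in premises) and not holds(goal, v):
            return False
    return True

def node(formula, label, *children):
    return {"formula": formula, "label": label, "children": children}

def case_consistent(kb_w, case):
    """Algorithm 2: True stands for top, False for bottom."""
    base = [kb_w, case["desc"]]
    ok = entails(base, case["pres"])                        # step 1
    ok = ok and not entails(base + [case["facts"]], BOT)    # step 2
    stack = [case["tree"]]
    while stack:
        n = stack.pop()
        kids = [c["formula"] for c in n["children"]]
        if n["label"] == "Axiom":                           # step 3
            ok = ok and entails(base, n["formula"])
        elif n["label"] == "AND":                           # step 4
            ok = ok and entails([("and", *kids)], n["formula"])
        elif n["label"] == "OR":                            # step 5
            ok = ok and entails([("or", *kids)], n["formula"])
        stack.extend(n["children"])                         # Assess/Ref leaves: no check here
    return ok                                               # step 6

# Constructed sample: parental consent for a minor makes a data transfer legal.
minor, parental = ("var", "minor"), ("var", "parental_consent")
valid, legal = ("var", "valid_consent"), ("var", "is_legal_action")
KB_W = ("imp", ("and", minor, parental), valid)
TREE = node(legal, "AND", node(valid, "Axiom"),
            node(("imp", valid, legal), "Assess"))

def make_case(desc):
    return dict(df=legal, desc=desc, tree=TREE, crt="H1", pres=valid, facts=legal)

GOOD = make_case(("and", minor, parental))
BAD = make_case(("and", minor, ("not", parental)))
```

GOOD passes all six steps; BAD already fails step 1, because without parental consent the world knowledge no longer entails the precondition valid_consent.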


A.2 Algorithm for Norm Extraction

Algorithm [5] can be used in order to extract a norm from a privacy case.

Algorithm 3: Referential consistency
Input : A case $C = (\mathit{df}, \mathit{CaseDesc}, \mathit{ProofTree}, \mathit{crt})$ and a case law database $DB$
Output: $\top$ if $C$ is referentially consistent w.r.t. $DB$ and $\bot$ otherwise

1 for every subcase $D$ referenced by leaf node $\mathit{pre} \to \mathit{fact}$ do

2 | check that $KB_W \wedge \mathit{CaseDesc} \wedge \mathit{pre} \models \mathit{pres}_D$

3 end

4 If all checks succeed output $\top$; otherwise output $\bot$.


Algorithm 4: Case-wise hierarchical consistency

Input : A case $C = (\mathit{df}, \mathit{CaseDesc}, \mathit{ProofTree}, \mathit{crt})$ and a hierarchically
        consistent CLD $DB$

Output: $\top$ if $DB \cup \{C\}$ is hierarchically consistent (where $C$ is set to be the
        maximum w.r.t. $<_t$)

1 for every $D \in DB$ for which crt <§ $\mathit{crt}_D$ do

2 | check that $KB_W \wedge \mathit{pres}_C \wedge \mathit{pres}_D \not\models \bot$

3 | check that $KB_W \wedge \mathit{df} \wedge \mathit{df}_D \models \bot$.

4 | If both checks succeed output $\bot$.

5 end

6 Output $\top$.

B Postponed proofs

B.1 Proof of Theorem [1]

Proof. We define $\mathit{CaseDesc} := A$ for a predicate $A$ and consider the court set
Courts = {ifj, $H_1$, $H_2$} such that $H_i$ <§ $H_j$ iff $i < j$ implies must-agree and
may-ref as in example [1].

Let Assess($f$) be a proof tree consisting of a single assessment node as root
node that contains $\top \to f$ and, for a case $C$ and a formula $f$, let Ref($C$, $f$) be
the proof tree consisting of a single case reference node that refers to $C$ and
contains the formula $\top \to f$. Let $B \neq A$ be some predicate. The database $DB$
consists of the following cases:

- $C_1 = (p, \top, \text{Assess}(p), H_1)$

- $C_2 = (\neg p, \top, \text{Assess}(\neg p), H_1)$

- $C_3 = (A \Rightarrow B, \top, \text{Assess}(A \Rightarrow B), H_1)$

- $C_4 = (B \Rightarrow \neg A, \top, \text{Assess}(B \Rightarrow \neg A),$ #£$)$

The time order $<_t$ is given by $<$ on the indices.

The database is obviously consistent. Let $\mathit{crt} = H_2$.

1. Define the set $F := \{p, \neg p\}$. The formula $p$ is permitted by $DB$ for case
description CaseDesc and court $\mathit{crt}$, since $(p, \mathit{CaseDesc}, \text{Ref}(C_1, p), \mathit{crt})$ is a
case as required by Definition [10]. The same holds for $\neg p$.

Assume that $F$ is permitted. Then there are cases $C_p$, $C_{\neg p}$ such that
$DB \cup \{C_p, C_{\neg p}\}$ is consistent. However, $C_p$ and $C_{\neg p}$ are in conflict and are at the
same court level, i.e., either must-agree($C_p$, $C_{\neg p}$) holds or must-agree($C_{\neg p}$, $C_p$)
depending on the order in which the cases are inserted in $DB$. As a
consequence, $DB \cup \{C_p, C_{\neg p}\}$ cannot be hierarchically consistent. Thus, that
database cannot be consistent either. Therefore, $F$ cannot be permitted.

2. Let $f_1 = A \Rightarrow B$, $f_2 = B \Rightarrow \neg A$, and $F = \{f_1, f_2\}$. It is easy to see that
for a case $C_{f_1 \wedge f_2}$ it holds that $KB_W \wedge \mathit{CaseDesc} \wedge \mathit{facts}_C \models \bot$ if $C_3$ and
$C_4$ are referenced. That means the case is not consistent. However, without
referencing these cases it is impossible to prove $f_1 \wedge f_2$ as a decision formula
within $DB$.

The set $F$ is permitted, since $C_{f_1}$, $C_{f_2}$ as constructed in the proof of [1]
are consistent. These cases are also not in conflict. In order to prove the
absence of a conflict, we have to check that $KB_W \wedge \mathit{pres}_{C_1} \wedge \mathit{pres}_{C_2} \not\models \bot$ and
$KB_W \wedge \mathit{facts}_{C_1} \wedge \mathit{facts}_{C_2} \models \bot$. While the first condition is met, the second
does not hold, since we need $\mathit{CaseDesc} = A$ to entail $\bot$.


□ 


B.2 Proof of Theorem [2] 

Proof. We prove the theorem step by step in the same order the claims are
defined.

1. We show a stronger statement for $\mathit{CaseDesc} = \mathit{pres}_C$ (since $C$ is consistent it
has to hold that $KB_W \wedge \mathit{CaseDesc} \models \mathit{pres}_C$).

We start with $A_C$ as the set of all leaf nodes of $C$ that are annotated by
Assess and Ref($D$) for some $D$. For this set all properties ([1]-[3]) of
Definition [11] clearly hold by consistency of $C$. However, the set might contain
nodes labeled with Ref($D$) which we need to replace in order to fulfill this
criterion of the Theorem, as well.

For a fixed leaf formula $(\mathit{pre} \to \mathit{fact}) \in A_C$ corresponding to a Ref($D$) leaf
node, take the set $A_D$ for $D$ defined as $A_C$ for $C$. By consistency of $D$,
we get (a) and (b) for $\mathit{CaseDesc}_D = \mathit{pres}_D$ and $f = \mathit{fact}$. By referential
consistency it holds that $KB_W \wedge \mathit{pre} \models \mathit{pres}_D$. Therefore, if we replace $A_C$
by $A_C \setminus \{(\mathit{pre} \to \mathit{fact})\} \cup A_D$, property (a) holds for $C$ and the new $A_C$ since
$KB_W \wedge \mathit{pre} \models \mathit{pres}_D$. Property (b) also transfers to the new set, since (b) holds
for the old set and (b) holds for $D$ and $A_D$ with respect to $\mathit{CaseDesc}_D = \mathit{pres}_D$
and $f = \mathit{fact}$.

The process of successively replacing Ref($D$) nodes in $A_C$ terminates since
$A_D$ only contains Ref($E$) leaf nodes for $E <_{\mathit{ref}} D$ and $DB$ is finite.

Our proof above actually shows that $KB_W \wedge \mathit{pres}_C \wedge \bigwedge_{(\mathit{pre} \to \mathit{fact}) \in A} \mathit{fact} \models \mathit{facts}_C$,
hence (c) follows from consistency of $C$.

2. The direction $\Rightarrow$ follows from the first part of the proof since permissibility
implies that we can add a case as specified. So consider $\Leftarrow$, i.e., let $A$ be a
supporting set for $f$ in circumstances CaseDesc for a court $\mathit{crt}$.

We can construct a case $C$ by referencing all these decisions and putting $f$
in a root node that has all these references as child nodes. The properties
([1]-[3]) of $A$ (Definition [11]) imply consistency of $C$. The requirement that
the nodes are warranted and that $C$ is at the end of the timeline implies
that we reference correctly.

The $DB \cup \{C\}$ is also hierarchically consistent since $C$ does not introduce
new conflicts. Otherwise $A$ would already be in conflict with $DB$.

3. The direction $\Rightarrow$ follows immediately from the previous part of the proof
since $f$ is deducible if $f$ is permitted and $\neg f$ is not permitted. The other
direction also follows from the previous part since the existence of $A$ implies
that $f$ is permitted and the non-existence of support for $\neg f$ is implied by
the requirement of $B$.


□ 


B.3 Proof of Theorem [3] 

Proof. Let $\mathit{crt}$ be a court with must-agree($\mathit{crt}$) $= \emptyset$. For $C_1$, select an arbitrary
$D \in DB$, and construct ProofTree containing root node $f$ and a single leaf
node $(\top \to f)$ labeled with Ref($D$). Define $C_1 := (f, \top, \mathit{ProofTree}, \mathit{crt})$. Then
$DB \cup \{C_1\}$ is case-wise consistent since $DB$ is case-wise consistent (note that
we do not enforce referential consistency, so ignore whether or not $f$ is actually
decided by $D$). Hierarchical consistency holds simply because $C_1$ does not need
to reference other cases.




For $C_2$, construct ProofTree containing the single node $f$ labeled with Axiom.
Define $C_2 := (f, \top, \mathit{ProofTree}, \mathit{crt})$. This case is not consistent; however,
$DB \cup \{C_2\}$ is referentially consistent simply because $C_2$ does not make any references.
Hierarchical consistency holds for the same reason as before. □

B.4 Proof of Theorem [4] 

Proof. For $\bot$, this holds simply because deducibility requires us to construct a
consistent case with root node $\bot$, and any case $C$ one of whose nodes is $\bot$ is
not consistent. To see the latter, just note that, if $C$ was consistent, then by
Definition [4] (v) it follows that $\mathit{facts}_C \models \bot$, which by Definition [4] (iii) means
that $C$ is not consistent.

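For $\{f, \neg f\}$, assume to the contrary that there exist cases $C_f = (f, \mathit{CaseDesc},
\mathit{ProofTree}_f, \mathit{crt})$ and $C_{\neg f} = (\neg f, \mathit{CaseDesc}, \mathit{ProofTree}_{\neg f}, \mathit{crt})$ such that $\mathit{ProofTree}_f$
and $\mathit{ProofTree}_{\neg f}$ do not contain nodes labeled with Assess, and $DB \cup \{C_f, C_{\neg f}\}$ is
consistent (where the new cases are inserted in any order at the end of the
timeline $<_t$). But since $\mathit{crt} \in$ must-agree($\mathit{crt}$), the latter one has to respect the first
one. We show that $C_f$ and $C_{\neg f}$ are in conflict, thus contradicting the hierarchical
consistency of $DB \cup \{C_f, C_{\neg f}\}$. Obviously, $KB_W \wedge \mathit{facts}_{C_f} \wedge \mathit{facts}_{C_{\neg f}} \models f \wedge \neg f \models \bot$.
It remains to show that $KB_W \wedge \mathit{pres}_{C_f} \wedge \mathit{pres}_{C_{\neg f}} \not\models \bot$. By consistency of each of $C_f$
and $C_{\neg f}$, we get (a) $KB_W \wedge \mathit{CaseDesc} \not\models \bot$, (b) $KB_W \wedge \mathit{CaseDesc} \models \mathit{pres}_{C_f}$ and (c)
$KB_W \wedge \mathit{CaseDesc} \models \mathit{pres}_{C_{\neg f}}$. Putting (b) and (c) together gives $KB_W \wedge \mathit{CaseDesc} \models
\mathit{pres}_{C_f} \wedge \mathit{pres}_{C_{\neg f}}$, which with (a) shows $KB_W \wedge \mathit{CaseDesc} \wedge \mathit{pres}_{C_f} \wedge \mathit{pres}_{C_{\neg f}} \not\models \bot$,
which is stronger than what we needed to prove. Therefore, $\{f, \neg f\}$ is not
permitted in $DB$. □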

B.5 Proof of Theorem [5] 

Proof. We show the statement for $\mathit{df} =$ is_legal_action($a$) for some $a$. The proof for
$\neg$is_legal_action($a$) is analogous. Given consistency of $C$, we get that $\mathit{facts}_C \models \mathit{df}$.
Transforming $\mathit{facts}_C$ to a CNF formula, we can write $\mathit{facts}_C$ as $\phi_W \wedge \phi_L$ where
is_legal_action($a$) only occurs in $\phi_L$. Since $\phi_W \wedge \phi_L \models$ is_legal_action($a$) we can
assume that $\phi_L$ does not contain $\neg$is_legal_action($a$). Otherwise we could remove
the $\neg$is_legal_action($a$) maintaining the property of $\phi_W \wedge \phi_L \models$ is_legal_action($a$).
Every literal $l_j$ of the formula $\phi_L$ has the form is_legal_action($a$) $\vee \bigvee_{1 \le i \le k} x_i^j$,
which is equivalent to $(\bigwedge_{1 \le i \le k} \neg x_i^j) \Rightarrow$ is_legal_action($a$), where we abbreviate
$r_j := \bigwedge_{1 \le i \le k} \neg x_i^j$. Hence, we can write $\phi_L$
as $(\bigvee_{1 \le j \le m} r_j) \Rightarrow$ is_legal_action($a$). We define $\phi_S := \bigvee_{1 \le j \le m} r_j$ and get

$\phi_W \wedge (\phi_S \Rightarrow \text{is\_legal\_action}(a)) \models \text{is\_legal\_action}(a)$

where neither $\phi_W$ nor $\phi_S$ contain is_legal_action($a$). Therefore, it must hold that
$\phi_W \models \phi_S$. However, this argumentation was only applicable in the case $C$ since
$KB_W \wedge \mathit{CaseDesc} \models \mathit{pres}_C$. Hence we can derive the norm $\phi^+ := \mathit{pres}_C \wedge \phi_S$ as
positive norm. □

B.6 Proof of Corollary [1]


Proof. The consistency of $N(C)$ follows from the previous theorem. The leaves of
$N(C)$ are the same as the leaves of $C$, and thus referential consistency follows
from $C$'s referential consistency. In addition, $\mathit{df}$ of $N(C)$, as well as $\mathit{pres}_C$ of
$N(C)$, are the same as of $C$, and thus $N(C)$ is in conflict with a case iff $C$ is.
Therefore, hierarchical consistency is also maintained. □

B.7 Proof of Theorem [6] 

Proof. Recall that $\Sigma_2^p = \mathrm{NP}^{\mathrm{NP}}$. Membership follows because we can guess the
set $A$ and check, using an NP oracle, the three entailment tests ([1]-[3]). The
consistency of the set with $DB$ can also be answered by the NP oracle since
verifying a conflict can be done in polynomial time.

For hardness, consider a QBF formula of the form $\exists X \forall Y \phi(X, Y)$ where each
of $X$ and $Y$ are variable sets and $\phi(X, Y)$ is an arbitrary propositional formula in
the variables $X \cup Y$. Testing validity of $\exists X \forall Y \phi(X, Y)$ is $\Sigma_2^p$-hard. To
polynomially reduce this to permissibility testing over a propositional logic, we construct
a corresponding case law database $DB$ as follows. For each $x \in X$, $DB$ includes a
case $(x, \top, \mathit{ProofTree}, \mathit{crt})$ where ProofTree consists of a single Assess node of the
form $\top \to x$, as well as a case $(\neg x, \top, \mathit{ProofTree}, \mathit{crt})$ where ProofTree consists of
a single Assess node of the form $\top \to \neg x$. In other words, for each $x$ we have
both truth-value decisions available for $A$ to choose from. We set $f := \phi(X, Y)$.
Obviously, this reduction is polynomial in the size of the formula $\exists X \forall Y \phi(X, Y)$.
To see that the reduction is correct, observe that $f$ is permitted in $DB$ iff there
exists a truth assignment $a$ to $X$ which, viewed as a conjunction of literals,
entails $\phi(X, Y)$, i.e., $a \models \phi(X, Y)$. The latter is the case iff there exists $a$ s.t., for
all truth assignments to $Y$, $\phi(a(X), Y)$ is true (where $\phi(a(X), Y)$ instantiates
each $x \in X$ with $a(x)$). This, finally, is the case iff $\exists X \forall Y \phi(X, Y)$ is valid, which
is what we needed to show. □

B.8 Proof of Theorem [7] 

Proof. According to [14], the expressiveness of the description logic $\mathcal{ALC}$
extended by the concept constructors fills and one-of and by the role constructors role-and,
role-not, product, and inverse is equal to the expressiveness of first-order
predicate logic with predicates of arity at most 2 and at most 2 free variables
(in any subformula). Consequently, we show that the construction for first-order
logic increases neither the arity of predicates nor the number of free variables.

Let $C = \{n_1 = (\mathit{pre}_1 \to \mathit{fact}_1), \ldots, n_k = (\mathit{pre}_k \to \mathit{fact}_k)\}$ be the set of all
warranted leaf formulas of cases $C' \in DB$ with label Assess. We need to construct
a first-order formula $\varphi$ that is valid iff there exists $A \subseteq C$ such that the three
implications (1-3) of Definition [11] hold. Our idea is to encode the choice of
that subset as an “on/off switch” associated with each $n_i$. The switch will be
realized through an existential quantifier over $x_1, \ldots, x_k$ and a unary predicate
$\mathit{chosen}_i$ for every $i \in \{1, \ldots, k\}$ which we add to the FOL signature (w.l.o.g. all
$\mathit{chosen}_i$ do not occur in any $\mathit{pre}_i$ or $\mathit{fact}_i$). The meaning of the predicate is that
$\mathit{chosen}_i(x_i)$ holds if and only if $n_i$ is chosen for the set $A$.

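We next define the formulas $\varphi_i^{\mathit{preSwitch}} := (\neg \mathit{chosen}_i(x_i) \vee \mathit{pre}_i)$ and
$\varphi_i^{\mathit{factSwitch}} := (\neg \mathit{chosen}_i(x_i) \vee \mathit{fact}_i)$ to implement our switches. Note that, if for $x_i$ it holds that
$\neg \mathit{chosen}_i(x_i)$, then both $\varphi_i^{\mathit{preSwitch}}$ and $\varphi_i^{\mathit{factSwitch}}$ simplify to $\top$; if for $x_i$ it holds
that $\mathit{chosen}_i(x_i)$, then $\varphi_i^{\mathit{preSwitch}}$ simplifies to $\mathit{pre}_i$ and $\varphi_i^{\mathit{factSwitch}}$ simplifies to $\mathit{fact}_i$.
Using these building blocks, we define our correspondences to the implications
(1-3), as follows: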


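(1) $\varphi^{(1)} := KB_W \wedge \mathit{CaseDesc} \Rightarrow \bigwedge_{i=1}^{k} \varphi_i^{\mathit{preSwitch}}$.
(2) $\varphi^{(2)} := KB_W \wedge \mathit{CaseDesc} \wedge \bigwedge_{i=1}^{k} \varphi_i^{\mathit{factSwitch}} \Rightarrow f$.
(3) $\varphi^{(3)} := \neg(KB_W \wedge \mathit{CaseDesc} \wedge \bigwedge_{i=1}^{k} \varphi_i^{\mathit{factSwitch}} \Rightarrow \bot)$.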


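Our formula $\varphi$ then is defined simply as $\varphi := \varphi^{(1)} \wedge \varphi^{(2)} \wedge \varphi^{(3)}$. We now prove
that $\varphi$ is satisfiable iff there exists $A \subseteq C$ such that the three implications (a-c)
hold.

“$\Leftarrow$”: Assume there is a set $A$ such that the implications (1-3) hold. We define
an assignment $a$ for the $x_i$ as follows: if $(\mathit{pre}_i \to \mathit{fact}_i) \in A$, then $\mathit{chosen}_i(x_i) = \top$
and otherwise $\mathit{chosen}_i(x_i) = \bot$. Then $\bigwedge_{i=1}^{k} \varphi_i^{\mathit{preSwitch}}$ reduces to $\bigwedge_{(\mathit{pre} \to \mathit{fact}) \in A} \mathit{pre}$
and $\bigwedge_{i=1}^{k} \varphi_i^{\mathit{factSwitch}}$ reduces to $\bigwedge_{(\mathit{pre} \to \mathit{fact}) \in A} \mathit{fact}$. Thus, (1) implies $I, a \models \varphi^{(1)}$,
(2) implies $I, a \models \varphi^{(2)}$ and (3) implies $I, a \models \varphi^{(3)}$ for every FOL interpretation
$I$. Consequently, $\varphi$ is satisfiable.

“$\Rightarrow$”: Now assume $\varphi$ is satisfiable, i.e., there is an interpretation $I$ such that
$I \models \varphi$ holds. Therefore, there is an assignment $a$ for the $x_i$ such that $I, a \models
\varphi^{(1)} \wedge \varphi^{(2)} \wedge \varphi^{(3)}$. For such an assignment $a$, we define $A := \{(\mathit{pre}_i \to \mathit{fact}_i) \mid
I, a \models \mathit{chosen}_i(x_i)\}$. For this set $A$ the formulas $\varphi^{(1)}$, $\varphi^{(2)}$, $\varphi^{(3)}$ can be reduced as
in “$\Leftarrow$”, i.e., the conditions (1-3) hold.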

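We cannot apply the result of [14] directly, since the $x_1, \ldots, x_k$ introduce
many free variables in $\varphi^{(1)} \wedge \varphi^{(2)} \wedge \varphi^{(3)}$. To clarify how we can reduce this number,
we consider the formula $\exists x_1, \ldots, x_k : \varphi$ which is satisfiable iff $\varphi$ is satisfiable.

The formula $\varphi^{(3)}$ is logically equivalent to $KB_W \wedge \mathit{CaseDesc} \wedge \bigwedge_{i=1}^{k} \varphi_i^{\mathit{factSwitch}}$.
Calling this formula $\varphi'^{(3)}$, it follows that $\varphi^{(2)} \wedge \varphi^{(3)}$ is equivalent to $\varphi'^{(3)} \wedge f$ and
$\varphi^{(1)} \wedge \varphi^{(2)} \wedge \varphi^{(3)}$ is equivalent to $\varphi'^{(3)} \wedge f \wedge \bigwedge_{i=1}^{k} \varphi_i^{\mathit{preSwitch}}$. By reordering the
conjunctive literals, we get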


$KB_W \wedge \mathit{CaseDesc} \wedge f \wedge \bigwedge_{i=1}^{k} (\varphi_i^{\mathit{preSwitch}} \wedge \varphi_i^{\mathit{factSwitch}})$

By definition $\varphi_i^{\mathit{preSwitch}} \wedge \varphi_i^{\mathit{factSwitch}}$ is equivalent to $\psi_i(x_i) = (\neg \mathit{chosen}_i(x_i) \vee
(\mathit{pre}_i \wedge \mathit{fact}_i))$. Now, the variable $x_i$ occurs only once in the whole formula. This
allows us to rewrite $\varphi$ as formula $\psi :=$

$KB_W \wedge \mathit{CaseDesc} \wedge f \wedge \bigwedge_{i=1}^{k} ((\exists x_i : \neg \mathit{chosen}_i(x_i)) \vee (\mathit{pre}_i \wedge \mathit{fact}_i))$

Here it is easy to see that the transformations of [14] are applicable to the
formula $\psi$ leading to a description logic expression if and only if they are applicable
to $KB_W$, CaseDesc, $f$, $\mathit{pre}_i$, and $\mathit{fact}_i$. However, since these formulas are
formulated in the same description logic, it follows that the mentioned transformation
is applicable leading to a description logic expression for $\psi$. □